Nmap - TCP SYN scan

What is the default Nmap scan type when nmap is not provided with a scan type flag?
  1. A TCP FIN scan
  2. A TCP connect scan
  3. A TCP SYN scan
  4. A UDP scan

By default, nmap uses a TCP SYN scan. If the user does not have proper socket privileges (such as root on a Linux system), it will use a TCP connect scan.



TCP SYN Scan

The TCP SYN scan is the default scan that runs against the target machine. It is the fastest scan. You can tweak it to make it even faster by using the –n option, which would tell the nmap to skip the DNS resolution. This diagram illustrates how a TCP SYN scan works:
The source machine sends a SYN packet to port 80 in the destination machine.
If the machine responds with SYN/ACK packet, Nmap would know that the particular port is open on the target machine.
The operating system would send a RST (Reset) packet in order to close the connection, since we already know that the port is open.
However, if there is no response from the destination after sending the SYN packet, the nmap would know that the port is filtered.
If you send a SYN packet and the target machine sends a RST packet, then nmap would know that the port is closed.


Command: The command/syntax for the TCP SYN scan is as follows:

nmap –sS


or

nmap -sS -n {IP} -p 80

You can see that I have specified two additional parameters (–n and –p). The –n parameter tells the nmap not to perform the name resolution; this is commonly used to increase the speed of the scan. The –p parameter is used to specify the ports to scan, which in this case is port 80.